TechRadar
Sead Fadilpašić

Google accounts attacked and hijacked by this devious security flaw


Google Cloud Platform (GCP) was vulnerable to a zero-day flaw that let threat actors keep persistent access to people’s Google accounts, and to all the data found there (Gmail, Drive, Docs, Photos, and more), researchers say.

Experts from Astrix Security found that a threat actor could create a malicious Google Cloud Platform app and advertise it either via the Google Marketplace or through third-party providers.

If a user installs the app and authorizes it, the OAuth consent grants the app, and therefore the attackers, a token for the user’s Google account, limited to the permissions the app requested.

Hiding the app from the victims

The threat actors could then make the app invisible by hiding it from Google’s application management page, leaving the victims no way to revoke it. The method of “hiding” the app is where the zero-day lies: by deleting the linked GCP project, the attackers put the app into a “pending deletion” state, which removed it from the application management page even though the grant itself was not revoked.

"Since this is the only place Google users can see their applications and revoke their access, the exploit makes the malicious app unremovable from the Google account," the researchers said.

Then, whenever the attackers saw fit, they could restore the project, get a fresh token, and retrieve the data from the victim’s account. What’s more, they could do this indefinitely. "The attacker on the other hand, as they please, can unhide their application and use the token to access the victim's account, and then quickly hide the application again to restore its unremovable state. In other words, the attacker holds a 'ghost' token to the victim's account."

Astrix named the flaw GhostToken.

The impact of the flaw depends heavily on the OAuth scopes the victim granted the malicious app at consent time: an app granted read-only access to one service exposes far less than one granted full access to Gmail or Drive.

The vulnerability was discovered in the summer of 2022 and was addressed in April 2023. Now, GCP OAuth applications pending deletion still appear on the “Apps with access to your account” page, so users can revoke them.
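As an added illustration that is not Astrix’s or Google’s code, the following Python models the two paths described above in a deliberately simplified way: the visibility rule behind the account’s app-management page (the only thing the owner can act on) and the OAuth grant itself, which survives the project’s pending-deletion window. The app name, project id, scope string and token formats are made up for the example. `ghost_token_scenario(fixed=False)` walks the hide, restore and refresh sequence from the paragraphs above; `fixed=True` models the April fix, under which apps pending deletion stay listed and can be revoked.

```python
# Toy model (constructed example, not Google's implementation) of the GhostToken
# visibility gap: the "apps with access to your account" page filtered out grants
# whose GCP project was pending deletion, but the grant (and its refresh token)
# was not revoked, so it came back to life once the project was restored.
from __future__ import annotations

from dataclasses import dataclass, field
from enum import Enum
import secrets


class ProjectState(Enum):
    ACTIVE = "active"
    PENDING_DELETION = "pending_deletion"  # deleted GCP projects stay restorable for a grace period
    DELETED = "deleted"                    # permanently gone after the grace period


@dataclass
class Project:
    project_id: str
    state: ProjectState = ProjectState.ACTIVE

    def delete(self) -> None:
        self.state = ProjectState.PENDING_DELETION   # "hide" the app

    def restore(self) -> None:
        if self.state is ProjectState.PENDING_DELETION:
            self.state = ProjectState.ACTIVE         # "unhide" it


@dataclass
class Grant:
    app_id: str
    project: Project
    scopes: tuple[str, ...]
    refresh_token: str = field(default_factory=lambda: secrets.token_urlsafe(24))
    revoked: bool = False


class AccountGrants:
    """OAuth grants held by one Google account (hypothetical model)."""

    def __init__(self, fixed: bool) -> None:
        self.fixed = fixed                      # True models the April 2023 behaviour
        self.grants: dict[str, Grant] = {}

    def authorize(self, app_id: str, project: Project, scopes: tuple[str, ...]) -> str:
        grant = Grant(app_id, project, scopes)
        self.grants[app_id] = grant
        return grant.refresh_token              # what the attacker walks away with

    def visible_apps(self) -> list[str]:
        """What the 'apps with access' page lists. Pre-fix: only ACTIVE projects."""
        shown = []
        for g in self.grants.values():
            if g.revoked:
                continue
            if g.project.state is ProjectState.ACTIVE or (
                self.fixed and g.project.state is ProjectState.PENDING_DELETION
            ):
                shown.append(g.app_id)
        return shown

    def revoke(self, app_id: str) -> bool:
        """The owner can only revoke what the page shows them."""
        if app_id not in self.visible_apps():
            return False
        self.grants[app_id].revoked = True
        return True

    def refresh_access_token(self, refresh_token: str) -> str | None:
        """Token refresh checks the grant and the project state, never the page's
        visibility rule: an unrevoked grant on a restored project works again."""
        for g in self.grants.values():
            if (
                secrets.compare_digest(g.refresh_token, refresh_token)
                and not g.revoked
                and g.project.state is ProjectState.ACTIVE
            ):
                return "ya29." + secrets.token_urlsafe(16)   # made-up access token
        return None


def ghost_token_scenario(fixed: bool) -> dict[str, bool]:
    """Walk the attack as described: authorize, hide, victim checks, unhide, refresh."""
    victim = AccountGrants(fixed=fixed)
    project = Project("attacker-proj-1234")     # hypothetical attacker-controlled project
    rt = victim.authorize(
        "Evil Sync", project, ("https://www.googleapis.com/auth/drive.readonly",)
    )

    project.delete()                            # attacker parks the project in pending deletion
    visible_while_hidden = "Evil Sync" in victim.visible_apps()
    victim_could_revoke = victim.revoke("Evil Sync")

    project.restore()                           # attacker unhides when they want data
    attacker_got_token = victim.refresh_access_token(rt) is not None
    project.delete()                            # and hides again

    return {
        "visible_while_hidden": visible_while_hidden,
        "victim_could_revoke": victim_could_revoke,
        "attacker_got_token": attacker_got_token,
    }


if __name__ == "__main__":
    print("vulnerable:", ghost_token_scenario(fixed=False))
    print("fixed:     ", ghost_token_scenario(fixed=True))
```

The lesson generalises beyond Google: whenever the view a user revokes from and the check a token is validated against use different predicates, anything that falls between them is unrevokable. The fix is to list every grant that could still mint a token, not only those attached to a healthy project.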

Via: BleepingComputer
